Tag Archives: NSA

How to protect against just-in-time malware

18 August 2015

On Sunday morning at the breakfast table I always read the latest issue of Invincea’s The Cyber Intelligencer. In this week’s issue Michael Applebaum writes about just-in-time malware that is not recognized by any traditional or next-generation endpoint protection tools. I fully agree with Michael that an attacker has to hijack only one endpoint to compromise an entire company network.

But it’s not necessary to exploit unpatched vulnerabilities or zero-days. A built-in weakness of a Windows OS, e.g. UAC not set to “Always notify me” by default, is enough to get privileged access and start exploring the victim’s computer and network.

But the worst is yet to come: if the attacker is not too greedy or impatient, his activities are very hard to detect because only standard Windows means are used.

Prevent, detect and contain are the keys to successful protection against such threats. In the report Defensive Best Practices for Destructive Malware, the NSA’s Information Assurance Directorate shows the direction. It is worth noting that most of the technical measures described in this report are just built-in functions of operating systems. No rocket science! But the measures on the people and process level make the difference. For details see e.g. the bullet point “Protect and restrict administrative privileges”.
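As an added example (not from this post or from the NSA report), the following PowerShell audits the UAC setting mentioned above and reports whether “Always notify me” is actually in effect; the registry values are the documented UAC policy entries, and the function names are my own.

```powershell
# Added example: audit the UAC elevation settings behind "Always notify me".
# These are the documented UAC policy values under the System policies key.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacAuditResult {
    $p = Get-ItemProperty -Path $uacKey
    # Fall back to the Windows defaults when a value has never been written.
    $enableLua = if ($null -ne $p.EnableLUA) { $p.EnableLUA } else { 1 }
    $consent   = if ($null -ne $p.ConsentPromptBehaviorAdmin) { $p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDsk = if ($null -ne $p.PromptOnSecureDesktop) { $p.PromptOnSecureDesktop } else { 1 }

    # "Always notify me" means: UAC on, prompt for consent on every elevation
    # (ConsentPromptBehaviorAdmin = 2), shown on the secure desktop.
    # The default (5) only prompts for non-Windows binaries.
    $alwaysNotify = ($enableLua -eq 1) -and ($consent -eq 2) -and ($secureDsk -eq 1)

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secureDsk
        AlwaysNotify               = $alwaysNotify
    }
}

function Set-UacAlwaysNotify {
    # Must be run from an elevated prompt; takes effect on the next elevation.
    Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
}

$result = Get-UacAuditResult
$result | Format-List
if (-not $result.AlwaysNotify) {
    Write-Warning 'UAC is not at "Always notify me"; run Set-UacAlwaysNotify from an elevated prompt.'
}
```

The same three values can be enforced centrally through Group Policy, which is the route the report’s people-and-process measures point to.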

Enjoy reading and have a good day!

OPM May Have Exposed Security Clearance Data

7 June 2015

When I read David Sanger’s report ‘Hacking Linked to China Exposes Millions of U.S. Workers’ in the New York Times about the Office of Personnel Management (OPM) attack, I was shocked by both the large number of stolen records and the obviously inadequate protection measures and processes.

‘The intrusion came before the personnel office fully put into place a series of new security procedures that restricted remote access for administrators of the network and reviewed all connections to the outside world through the Internet’.

Are basic protection measures like two-factor authentication for all employees accessing federal computer networks from the internet really not in place, not even at the NSA?

‘In acting too late, the personnel agency was not alone: The N.S.A. was also beginning to put in place new network precautions after its most delicate information was taken by Edward J. Snowden.’

And why does it take such a long time until an investigation starts? From a LIFARS blog we learn:

‘The possibility of a data breach was first detected back in April, by the Department of Homeland Security. An internal investigation conducted in May, confirmed that the breach had indeed occurred.’

In the New York Times article we find the reason for this delay:

‘Administration officials said they made the breach public only after confirming last month that the data had been compromised and after taking additional steps to insulate other government agencies from the intrusion.’

Again, it seems to me that basic protection measures like proper network segmentation are not in place, along with effective communication processes and business continuity management, which according to the Ponemon 2015 Cost of Data Breach Study (page 24, figure 24) could cut the Mean Time To Identify (MTTI) a breach dramatically.

Take care!